Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: Support is ending for some versions of Windows.

INTRODUCTION

Microsoft has released security bulletin MS09-042. To view the complete security bulletin, visit one of the following Microsoft Web sites:

More Information

Additional information about this security update

What does this security bulletin address?

This security update addresses reflection protection in the Telnet protocol. For more information about Reflection Protection, please review the following security bulletin:

What is Extended Protection?

This security update contains a defense-in-depth fix that allows the Telnet client and server to opt in to Extended Protection. By default, this functionality is disabled. Please closely review this security update and the following security advisory, which describe Extended Protection in more detail, to make sure that you know the effect of these changes:

To be able to enable Extended Protection for Telnet, make sure that the updates in Security Advisory 968389 and in this article are installed on both the client and server computers.

Note The client-side setting that enables Extended Protection is a system-wide setting. When this setting is enabled, Extended Protection is enabled for all components on the client computer.

On a server, Extended Protection has to be enabled for each component individually. Make sure that all client components for a particular server are updated for Extended Protection before you enable it on the server; otherwise, authentication failures may occur.

After both security updates are installed, you will then have to enable Extended Protection on both client and server computers.

To enable Extended Protection on your computer, the following changes are required.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

The default value for ExtendedProtection is set to 0. On Windows Vista, you have to manually create this key and provide the appropriate value as per the hardening mode that is selected. To add the registry value, follow the steps that are listed earlier in this article under "How do I enable Extended Protection on my computer?"

Default allowed SPNs on a Telnet server:

By default, the Telnet server will allow the following list of names and IPs:

"localhost" as a string in English.

All the variants of IP (IPv4 & IPv6) of your own server or computer.

127.0.0.1 & ::1

Hostname in NetBIOS format

Hostname in FQDN format.

If the administrator decides to allow other SPNs, he can add more names as follows. The name will not be converted from NetBIOS to FQDN or from FQDN to NetBIOS:

If the AllowedSPN registry value is not present, start Registry Editor and then follow these steps:

Locate and then click the following key in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0\

On the Edit menu, point to New, and then click Multi-String Value.

Type AllowedSPN, and then press ENTER.

On the Edit menu, click Modify.

Add the aliases that you want to be allowed as SPNs. The following entry is a valid SPN for Telnet:

telnet/machineName

Click OK, and then exit Registry Editor.
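
The Registry Editor steps above can also be scripted. The following PowerShell is an added example, not part of the Microsoft article: it backs up the TelnetServer\1.0 key, then merges telnet/<name> entries into AllowedSPN without duplicating entries that are already present. The alias names are constructed placeholders and Get-MergedSpnList is a helper defined only for this example.

```powershell
# Added example (not from the Microsoft article). Run elevated on the Telnet server.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\TelnetServer\1.0'
$ValueName = 'AllowedSPN'

# Constructed placeholder names: replace with your cluster name, FQDN and aliases.
# NetBIOS and FQDN forms are not converted into each other, so list every form you need.
$HostAliases = @('telnetclu01', 'telnetclu01.corp.example.com', 'legacy-alias')

# Hypothetical helper: merge existing entries with telnet/<name> for each alias.
function Get-MergedSpnList {
    param([string[]]$Existing, [string[]]$Aliases)
    $merged = New-Object 'System.Collections.Generic.List[string]'
    foreach ($entry in $Existing) {
        if ($entry -and $entry.Trim()) { $merged.Add($entry.Trim()) }
    }
    foreach ($name in $Aliases) {
        $spn = 'telnet/' + $name.Trim()
        # -contains compares case-insensitively, so TELNET/Host is not added twice.
        if (-not ($merged -contains $spn)) { $merged.Add($spn) }
    }
    return ,$merged.ToArray()
}

if (-not (Test-Path $KeyPath)) {
    throw "Telnet server key not found: $KeyPath"
}

# Back up the key before changing it, as the article advises.
$backup = Join-Path $env:TEMP 'TelnetServer-1.0-backup.reg'
reg.exe export 'HKLM\SOFTWARE\Microsoft\TelnetServer\1.0' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Registry backup failed; no changes made.' }

$current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
$updated = Get-MergedSpnList -Existing $current -Aliases $HostAliases

# -Force creates the value if it is absent and overwrites it otherwise,
# always as a multi-string (REG_MULTI_SZ) value.
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType MultiString -Value $updated -Force | Out-Null

# Show the stored list so the change can be reviewed.
(Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
```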

Known issues with this security update

On computers that are running Windows XP, or on servers that are running Windows Server 2003, you may experience the following localhost failure on IPv6 addresses and computer aliases:

Microsoft Telnet clients will not connect to local IPv6 addresses and all localhost aliases except for "localhost" and "hostname."

To resolve this issue, follow the appropriate steps:

For an IPv6 address failure, follow the steps in the "Known issues with this security update" section of the following Knowledge Base article:

You cannot Telnet on a cluster name and FQDN. You will have to add the cluster name and FQDN to the AllowedSPN registry value. See the "When you install this package" section for information about how to do this.

You cannot Telnet to a server by using an alias name. You will have to add the alias name to the AllowedSPN registry value. See the "When you install this package" section for information about how to do this.

This update will not be offered to Windows 2000 customers who have Services for Unix installed on their systems.

FILE INFORMATION

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows 2000 file information

For all supported editions of Microsoft Windows 2000 Service Pack 4

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Msv1_0.dll | 5.0.2195.6926 | 125,200 | 07-Apr-2005 | 23:21 | x86 |
| Netlogon.dll | 5.0.2195.7011 | 366,864 | 07-Apr-2005 | 23:24 | x86 |
| Sp3res.dll | 5.0.2195.7151 | 6,276,608 | 29-Feb-2008 | 13:26 | x86 |
| Telnet.exe | 5.0.33670.4 | 80,656 | 08-Jan-2009 | 16:20 | x86 |

Windows XP and Windows Server 2003 file information

The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.

GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.

In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For all supported x86-based versions of Windows XP

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Telnet.exe | 5.1.2600.3587 | 76,288 | 12-Jun-2009 | 11:50 | x86 | SP2 | SP2GDR |
| Tlntsess.exe | 5.1.2600.3587 | 80,896 | 12-Jun-2009 | 11:50 | x86 | SP2 | SP2GDR |
| Telnet.exe | 5.1.2600.3587 | 76,288 | 12-Jun-2009 | 11:49 | x86 | SP2 | SP2QFE |
| Tlntsess.exe | 5.1.2600.3587 | 80,896 | 12-Jun-2009 | 11:49 | x86 | SP2 | SP2QFE |
| Telnet.exe | 5.1.2600.5829 | 76,288 | 12-Jun-2009 | 12:31 | x86 | SP3 | SP3GDR |
| Tlntsess.exe | 5.1.2600.5829 | 80,896 | 12-Jun-2009 | 12:31 | x86 | SP3 | SP3GDR |
| Telnet.exe | 5.1.2600.5829 | 76,288 | 12-Jun-2009 | 12:03 | x86 | SP3 | SP3QFE |
| Tlntsess.exe | 5.1.2600.5829 | 80,896 | 12-Jun-2009 | 12:03 | x86 | SP3 | SP3QFE |

For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Telnet.exe | 5.2.3790.4528 | 104,448 | 01-Jul-2009 | 22:53 | x64 | SP2 | SP2GDR |
| Tlntsess.exe | 5.2.3790.4528 | 129,536 | 01-Jul-2009 | 22:53 | x64 | SP2 | SP2GDR |
| Telnet.exe | 5.2.3790.4528 | 104,448 | 01-Jul-2009 | 22:50 | x64 | SP2 | SP2QFE |
| Tlntsess.exe | 5.2.3790.4528 | 129,536 | 01-Jul-2009 | 22:50 | x64 | SP2 | SP2QFE |

For all supported x86-based versions of Windows Server 2003

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Telnet.exe | 5.2.3790.4528 | 76,288 | 11-Jun-2009 | 14:39 | x86 | SP2 | SP2GDR |
| Tlntsess.exe | 5.2.3790.4528 | 83,968 | 11-Jun-2009 | 14:39 | x86 | SP2 | SP2GDR |
| Telnet.exe | 5.2.3790.4528 | 76,288 | 11-Jun-2009 | 13:59 | x86 | SP2 | SP2QFE |
| Tlntsess.exe | 5.2.3790.4528 | 83,968 | 11-Jun-2009 | 13:59 | x86 | SP2 | SP2QFE |

For all supported IA-64-based versions of Windows Server 2003

| File name | File version | File size | Date | Time | Platform | SP requirement | Service branch |
|---|---|---|---|---|---|---|---|
| Telnet.exe | 5.2.3790.4528 | 194,560 | 01-Jul-2009 | 22:53 | IA-64 | SP2 | SP2GDR |
| Tlntsess.exe | 5.2.3790.4528 | 222,720 | 01-Jul-2009 | 22:53 | IA-64 | SP2 | SP2GDR |
| Telnet.exe | 5.2.3790.4528 | 194,560 | 01-Jul-2009 | 22:49 | IA-64 | SP2 | SP2QFE |
| Tlntsess.exe | 5.2.3790.4528 | 222,720 | 01-Jul-2009 | 22:49 | IA-64 | SP2 | SP2QFE |

Windows Vista and Windows Server 2008 file information

The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:

| Version | Product | Milestone | Service branch |
|---|---|---|---|
| 6.0.6000.16xxx | Windows Vista | RTM | GDR |
| 6.0.6000.20xxx | Windows Vista | RTM | LDR |
| 6.0.6001.18xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | GDR |
| 6.0.6001.22xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | LDR |
| 6.0.6002.18xxx | Windows Vista SP2 and Windows Server 2008 SP2 | SP2 | GDR |
| 6.0.6002.22xxx | Windows Vista SP2 and Windows Server 2008 SP2 | SP2 | LDR |

Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.

GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.

The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Server 2008 and of Windows Vista

| File name | File version | File size | Date | Time | Platform |
|---|---|---|---|---|---|
| Telnet-client-ppdlic.xrm-ms | Not Applicable | 3,168 | 10-Jun-2009 | 11:52 | Not Applicable |
| Telnet.exe | 6.0.6000.16868 | 206,848 | 10-Jun-2009 | 11:41 | x86 |
| Telnet-client-ppdlic.xrm-ms | Not Applicable | 3,168 | 10-Jun-2009 | 11:50 | Not Applicable |
| Telnet.exe | 6.0.6000.21065 | 206,848 | 10-Jun-2009 | 11:36 | x86 |
| Telnet-client-ppdlic.xrm-ms | Not Applicable | 3,197 | 10-Jun-2009 | 11:58 | Not Applicable |
| Telnet.exe | 6.0.6001.18270 | 206,336 | 10-Jun-2009 | 11:45 | x86 |
| Telnet-client-ppdlic.xrm-ms | Not Applicable | 3,197 | 10-Jun-2009 | 15:25 | Not Applicable |
| Telnet.exe | 6.0.6001.22447 | 206,336 | 10-Jun-2009 | 11:33 | x86 |
| Telnet-client-ppdlic.xrm-ms | Not Applicable | 3,197 | 10-Jun-2009 | 11:23 | Not Applicable |
| Telnet.exe | 6.0.6002.18049 | 71,168 | 10-Jun-2009 | 09:43 | x86 |
| Telnet-client-ppdlic.xrm-ms | Not Applicable | 3,197 | 10-Jun-2009 | 11:27 | Not Applicable |
| Telnet.exe | 6.0.6002.22150 | 71,168 | 10-Jun-2009 | 09:46 | x86 |
| Tlntsess.exe | 6.0.6000.16868 | 88,576 | 10-Jun-2009 | 10:06 | x86 |
| Tlntsess.exe | 6.0.6000.21065 | 88,576 | 10-Jun-2009 | 09:54 | x86 |
| Tlntsess.exe | 6.0.6001.18270 | 88,576 | 10-Jun-2009 | 09:56 | x86 |
| Tlntsess.exe | 6.0.6001.22447 | 88,576 | 10-Jun-2009 | 10:02 | x86 |
| Tlntsess.exe | 6.0.6002.18049 | 88,576 | 10-Jun-2009 | 09:43 | x86 |
| Tlntsess.exe | 6.0.6002.22150 | 88,576 | 10-Jun-2009 | 09:46 | x86 |

For all supported x64-based versions of Windows Server 2008 and of Windows Vista